Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices.
So if you do not have a portable device management plan in place, now is the time to act. Don't wait until an incident occurs to develop a plan of action.
Keep in mind that reducing the risks of exposure from portable devices and media requires much more work and planning than a simple laptop encryption program.
Here are some suggested steps:
- Inventory the use of portable devices and media across ALL areas of the organization. This is a difficult but critical task. If you do not know the size and scope of the problem, how can you expect to manage it?
- Examine ALL avenues of product acquisition, use and disposal. Does your organization have purchasing contracts in place for certain types of devices? Will your suppliers help you enforce your encryption policies? How about medical product vendors?
- Understand the data flow on and off each device type. What is the data content being stored on the drives? Determine the sensitivity of the data and the amount being transported. How are the devices being used relative to employee workflow? Don't leave CD/DVDs out of the equation. Often, radiology departments will use CD and DVD devices to record patient diagnostics for use in referrals.
- Develop an audit plan and gather statistics on the amount and type of data and devices being used within your organization. Conduct a thorough risk assessment for the use of portable computing and storage devices. Present your findings to senior management. Demonstrate ROI based on the costs associated with a breach. Solicit their buy-in for a holistic, problem-based approach. Once senior management support is obtained, educate the organization on the related issues. Provide real-life examples of recent breaches.
- If your organization doesn't have a portable media/device policy, develop one. Don't forget to address device ownership; data ownership; rules of behavior; contractors and temporary employees; media destruction or sanitization; appropriate identification of what constitutes sensitive information; and when it is appropriate to use a portable device. The policy should specify who may use portable devices under what conditions as well as the process to gain appropriate management approval.
- Educate ALL users on the content of the portable media/device policy and the organization's expectations of appropriate device handling and use. This is a great opportunity to remind your staff of the risks involved. Education should include training on how to properly transport the device, use it and safely remove sensitive information when it is no longer needed. A policy alone does not constitute an adequate control, nor is it effective in reducing risk. And you should be able to provide documentation validating the training of all staff members.
- Develop sound layered security controls to reduce risk. Consider the different types of devices and the encryption technologies available for each platform. For example, with laptops, are you encrypting the entire hard disk? If not, can you demonstrate that the individual properly placed a sensitive file within the encrypted container? Are you using hardware-based encryption or software-based tools? USB drives that rely on software-based encryption often require the user to have administrative rights on the computer they are using in order to mount the drive. Even if the individual has these rights on their office computer (not a good idea), would they expect to have them at a shared computer in a hotel or coffee shop?
- Investigate end-point security controls. As you catalog the different devices you legitimately need to support, evaluate methods and products that will enforce the use of approved devices only. This will involve controls that can restrict a computer's USB ports to an appropriate white-list of devices. Without such an end-point tool, the policy cannot be enforced.
- Educate the workforce on how to acquire appropriate secure devices and how compliance will be enforced.
- If your end-point controls support operating in an audit mode, deploy it to monitor USB device activity. This will help fill in areas of device usage you may have missed, such as biomedical devices and dictation equipment. Finally, deploy your endpoint controls SLOWLY. Allow areas to become comfortable with the controls and adequate time to purchase the appropriate tools. After sufficient rollout, routinely audit compliance and continue to educate the workforce. Healthcare organizations can experience significant turnover. The success of your program will depend on your educational efforts and the availability of support staff to address issues promptly as they occur.
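To make the white-listing and audit-mode steps above concrete, here is an added example (not from the article or from any endpoint product) of how a rollout team might triage audit-mode USB events before switching enforcement on. It assumes a hypothetical endpoint agent that logs one key=value line per USB attach/detach event; the log format, vendor/product IDs, serials, hostnames and department names are all constructed placeholders. The script flags mass-storage devices that are not on the approved-model list (what enforcement would later block), counts where approved drives are actually in use by department, and surfaces non-storage device classes such as dictation equipment that the inventory may have missed.

```python
"""Triage of audit-mode USB events against an approved-device white-list.

Added example. The agent log format, IDs, serials and names below are
constructed for illustration and do not describe any real product.
"""
import re
from collections import Counter

# Constructed sample audit-mode events from a hypothetical endpoint agent.
SAMPLE_LOG = """\
2010-06-01T08:02:11 host=RAD-WS-07 dept=Radiology user=jdoe vid=1234 pid=0001 serial=ENC-0001 class=mass_storage action=attach
2010-06-01T08:15:43 host=ER-WS-02 dept=Emergency user=asmith vid=ABCD pid=0099 serial=PROMO-77 class=mass_storage action=attach
2010-06-01T09:01:05 host=LAB-WS-11 dept=Laboratory user=svc_lab vid=5678 pid=0002 serial=ENC-0042 class=mass_storage action=attach
2010-06-01T09:30:22 host=HIM-WS-04 dept=HIM user=rlee vid=9999 pid=0010 serial=DICT-3 class=audio action=attach
2010-06-01T10:12:00 host=RAD-WS-07 dept=Radiology user=jdoe vid=1234 pid=0001 serial=ENC-0001 class=mass_storage action=detach
"""

# Approved hardware-encrypted drive models, keyed by (vendor ID, product ID).
# Placeholder values; in practice this list comes from your purchasing contracts.
APPROVED_MODELS = {("1234", "0001"), ("5678", "0002")}

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = {"host", "dept", "vid", "pid", "serial", "class", "action"}


def parse_event(line):
    """Parse one 'timestamp key=value ...' line; return None if malformed."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    event = dict(KV_RE.findall(parts[1]))
    event["ts"] = parts[0]
    if not REQUIRED_FIELDS.issubset(event):
        return None
    return event


def triage(log_text, approved=APPROVED_MODELS):
    """Summarise audit-mode events into what a rollout team needs to see.

    Returns a dict with:
      violations    - attach events for storage devices not on the white-list
      by_dept       - count of approved-drive attaches per department
      other_classes - count of non-storage device classes seen (e.g. dictation)
    """
    violations = []
    by_dept = Counter()
    other_classes = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "attach":
            continue  # skip malformed lines and detach events
        if ev["class"] != "mass_storage":
            other_classes[ev["class"]] += 1  # inventory gap candidates
            continue
        if (ev["vid"], ev["pid"]) in approved:
            by_dept[ev["dept"]] += 1
        else:
            violations.append(ev)  # would be blocked once enforcement is on
    return {"violations": violations, "by_dept": by_dept, "other_classes": other_classes}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for v in report["violations"]:
        print(f"UNAPPROVED {v['serial']} ({v['vid']}:{v['pid']}) on {v['host']} "
              f"by {v['user']} in {v['dept']} at {v['ts']}")
    print("approved-drive use by department:", dict(report["by_dept"]))
    print("non-storage classes to review:", dict(report["other_classes"]))
```

Running this over a week of real audit-mode output gives the three things the rollout needs: which departments will be affected when enforcement starts (so they get time to purchase approved drives), which individual devices are currently non-compliant, and which device classes (audio, biomedical) need their own policy decision before ports are locked down.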
Terrell Herzig is HIPAA security officer at UAB Health System in Birmingham, Ala. Herzig, who serves as the equivalent of a chief information security officer, heads a team of three security specialists at the delivery system, which includes a 1,000-bed hospital and numerous outpatient facilities throughout the state. He is one of the authors of a new book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.